cyral 4.16.3, Apr 14 25

cyral 4.16.3 published on Monday, Apr 14, 2025 by cyralinc

cyral.PolicyRule

Explore with Pulumi AI

cyral 4.16.3 published on Monday, Apr 14, 2025 by cyralinc

# cyral.PolicyRule (Resource)

DEPRECATED For control planes >= v4.15, use resource cyral.PolicyV2 instead.

Import ID syntax is {policy_id}/{policy_rule_id}, where {policy_rule_id} is the ID of the policy rule in the Cyral Control Plane.

Create PolicyRule Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

new PolicyRule(name: string, args: PolicyRuleArgs, opts?: CustomResourceOptions);

@overload
def PolicyRule(resource_name: str,
               args: PolicyRuleArgs,
               opts: Optional[ResourceOptions] = None)

@overload
def PolicyRule(resource_name: str,
               opts: Optional[ResourceOptions] = None,
               policy_id: Optional[str] = None,
               cyral_policy_rule_id: Optional[str] = None,
               deletes: Optional[Sequence[PolicyRuleDeleteArgs]] = None,
               hosts: Optional[Sequence[str]] = None,
               identities: Optional[PolicyRuleIdentitiesArgs] = None,
               reads: Optional[Sequence[PolicyRuleReadArgs]] = None,
               updates: Optional[Sequence[PolicyRuleUpdateArgs]] = None)

func NewPolicyRule(ctx *Context, name string, args PolicyRuleArgs, opts ...ResourceOption) (*PolicyRule, error)

public PolicyRule(string name, PolicyRuleArgs args, CustomResourceOptions? opts = null)

public PolicyRule(String name, PolicyRuleArgs args)
public PolicyRule(String name, PolicyRuleArgs args, CustomResourceOptions options)

type: cyral:PolicyRule
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args PolicyRuleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args PolicyRuleArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args PolicyRuleArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args PolicyRuleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args PolicyRuleArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

TypeScript
Python
Go
C#
Java
YAML

var policyRuleResource = new Cyral.PolicyRule("policyRuleResource", new()
{
    PolicyId = "string",
    CyralPolicyRuleId = "string",
    Deletes = new[]
    {
        new Cyral.Inputs.PolicyRuleDeleteArgs
        {
            Datas = new[]
            {
                "string",
            },
            Rows = 0,
            AdditionalChecks = "string",
            DatasetRewrites = new[]
            {
                new Cyral.Inputs.PolicyRuleDeleteDatasetRewriteArgs
                {
                    Dataset = "string",
                    Parameters = new[]
                    {
                        "string",
                    },
                    Repo = "string",
                    Substitution = "string",
                },
            },
            RateLimit = 0,
            Severity = "string",
        },
    },
    Hosts = new[]
    {
        "string",
    },
    Identities = new Cyral.Inputs.PolicyRuleIdentitiesArgs
    {
        DbRoles = new[]
        {
            "string",
        },
        Groups = new[]
        {
            "string",
        },
        Services = new[]
        {
            "string",
        },
        Users = new[]
        {
            "string",
        },
    },
    Reads = new[]
    {
        new Cyral.Inputs.PolicyRuleReadArgs
        {
            Datas = new[]
            {
                "string",
            },
            Rows = 0,
            AdditionalChecks = "string",
            DatasetRewrites = new[]
            {
                new Cyral.Inputs.PolicyRuleReadDatasetRewriteArgs
                {
                    Dataset = "string",
                    Parameters = new[]
                    {
                        "string",
                    },
                    Repo = "string",
                    Substitution = "string",
                },
            },
            RateLimit = 0,
            Severity = "string",
        },
    },
    Updates = new[]
    {
        new Cyral.Inputs.PolicyRuleUpdateArgs
        {
            Datas = new[]
            {
                "string",
            },
            Rows = 0,
            AdditionalChecks = "string",
            DatasetRewrites = new[]
            {
                new Cyral.Inputs.PolicyRuleUpdateDatasetRewriteArgs
                {
                    Dataset = "string",
                    Parameters = new[]
                    {
                        "string",
                    },
                    Repo = "string",
                    Substitution = "string",
                },
            },
            RateLimit = 0,
            Severity = "string",
        },
    },
});

example, err := cyral.NewPolicyRule(ctx, "policyRuleResource", &cyral.PolicyRuleArgs{
PolicyId: pulumi.String("string"),
CyralPolicyRuleId: pulumi.String("string"),
Deletes: .PolicyRuleDeleteArray{
&.PolicyRuleDeleteArgs{
Datas: pulumi.StringArray{
pulumi.String("string"),
},
Rows: pulumi.Float64(0),
AdditionalChecks: pulumi.String("string"),
DatasetRewrites: .PolicyRuleDeleteDatasetRewriteArray{
&.PolicyRuleDeleteDatasetRewriteArgs{
Dataset: pulumi.String("string"),
Parameters: pulumi.StringArray{
pulumi.String("string"),
},
Repo: pulumi.String("string"),
Substitution: pulumi.String("string"),
},
},
RateLimit: pulumi.Float64(0),
Severity: pulumi.String("string"),
},
},
Hosts: pulumi.StringArray{
pulumi.String("string"),
},
Identities: &.PolicyRuleIdentitiesArgs{
DbRoles: pulumi.StringArray{
pulumi.String("string"),
},
Groups: pulumi.StringArray{
pulumi.String("string"),
},
Services: pulumi.StringArray{
pulumi.String("string"),
},
Users: pulumi.StringArray{
pulumi.String("string"),
},
},
Reads: .PolicyRuleReadArray{
&.PolicyRuleReadArgs{
Datas: pulumi.StringArray{
pulumi.String("string"),
},
Rows: pulumi.Float64(0),
AdditionalChecks: pulumi.String("string"),
DatasetRewrites: .PolicyRuleReadDatasetRewriteArray{
&.PolicyRuleReadDatasetRewriteArgs{
Dataset: pulumi.String("string"),
Parameters: pulumi.StringArray{
pulumi.String("string"),
},
Repo: pulumi.String("string"),
Substitution: pulumi.String("string"),
},
},
RateLimit: pulumi.Float64(0),
Severity: pulumi.String("string"),
},
},
Updates: .PolicyRuleUpdateArray{
&.PolicyRuleUpdateArgs{
Datas: pulumi.StringArray{
pulumi.String("string"),
},
Rows: pulumi.Float64(0),
AdditionalChecks: pulumi.String("string"),
DatasetRewrites: .PolicyRuleUpdateDatasetRewriteArray{
&.PolicyRuleUpdateDatasetRewriteArgs{
Dataset: pulumi.String("string"),
Parameters: pulumi.StringArray{
pulumi.String("string"),
},
Repo: pulumi.String("string"),
Substitution: pulumi.String("string"),
},
},
RateLimit: pulumi.Float64(0),
Severity: pulumi.String("string"),
},
},
})

var policyRuleResource = new PolicyRule("policyRuleResource", PolicyRuleArgs.builder()
    .policyId("string")
    .cyralPolicyRuleId("string")
    .deletes(PolicyRuleDeleteArgs.builder()
        .datas("string")
        .rows(0)
        .additionalChecks("string")
        .datasetRewrites(PolicyRuleDeleteDatasetRewriteArgs.builder()
            .dataset("string")
            .parameters("string")
            .repo("string")
            .substitution("string")
            .build())
        .rateLimit(0)
        .severity("string")
        .build())
    .hosts("string")
    .identities(PolicyRuleIdentitiesArgs.builder()
        .dbRoles("string")
        .groups("string")
        .services("string")
        .users("string")
        .build())
    .reads(PolicyRuleReadArgs.builder()
        .datas("string")
        .rows(0)
        .additionalChecks("string")
        .datasetRewrites(PolicyRuleReadDatasetRewriteArgs.builder()
            .dataset("string")
            .parameters("string")
            .repo("string")
            .substitution("string")
            .build())
        .rateLimit(0)
        .severity("string")
        .build())
    .updates(PolicyRuleUpdateArgs.builder()
        .datas("string")
        .rows(0)
        .additionalChecks("string")
        .datasetRewrites(PolicyRuleUpdateDatasetRewriteArgs.builder()
            .dataset("string")
            .parameters("string")
            .repo("string")
            .substitution("string")
            .build())
        .rateLimit(0)
        .severity("string")
        .build())
    .build());

policy_rule_resource = cyral.PolicyRule("policyRuleResource",
    policy_id="string",
    cyral_policy_rule_id="string",
    deletes=[{
        "datas": ["string"],
        "rows": 0,
        "additional_checks": "string",
        "dataset_rewrites": [{
            "dataset": "string",
            "parameters": ["string"],
            "repo": "string",
            "substitution": "string",
        }],
        "rate_limit": 0,
        "severity": "string",
    }],
    hosts=["string"],
    identities={
        "db_roles": ["string"],
        "groups": ["string"],
        "services": ["string"],
        "users": ["string"],
    },
    reads=[{
        "datas": ["string"],
        "rows": 0,
        "additional_checks": "string",
        "dataset_rewrites": [{
            "dataset": "string",
            "parameters": ["string"],
            "repo": "string",
            "substitution": "string",
        }],
        "rate_limit": 0,
        "severity": "string",
    }],
    updates=[{
        "datas": ["string"],
        "rows": 0,
        "additional_checks": "string",
        "dataset_rewrites": [{
            "dataset": "string",
            "parameters": ["string"],
            "repo": "string",
            "substitution": "string",
        }],
        "rate_limit": 0,
        "severity": "string",
    }])

const policyRuleResource = new cyral.PolicyRule("policyRuleResource", {
    policyId: "string",
    cyralPolicyRuleId: "string",
    deletes: [{
        datas: ["string"],
        rows: 0,
        additionalChecks: "string",
        datasetRewrites: [{
            dataset: "string",
            parameters: ["string"],
            repo: "string",
            substitution: "string",
        }],
        rateLimit: 0,
        severity: "string",
    }],
    hosts: ["string"],
    identities: {
        dbRoles: ["string"],
        groups: ["string"],
        services: ["string"],
        users: ["string"],
    },
    reads: [{
        datas: ["string"],
        rows: 0,
        additionalChecks: "string",
        datasetRewrites: [{
            dataset: "string",
            parameters: ["string"],
            repo: "string",
            substitution: "string",
        }],
        rateLimit: 0,
        severity: "string",
    }],
    updates: [{
        datas: ["string"],
        rows: 0,
        additionalChecks: "string",
        datasetRewrites: [{
            dataset: "string",
            parameters: ["string"],
            repo: "string",
            substitution: "string",
        }],
        rateLimit: 0,
        severity: "string",
    }],
});

type: cyral:PolicyRule
properties:
    cyralPolicyRuleId: string
    deletes:
        - additionalChecks: string
          datas:
            - string
          datasetRewrites:
            - dataset: string
              parameters:
                - string
              repo: string
              substitution: string
          rateLimit: 0
          rows: 0
          severity: string
    hosts:
        - string
    identities:
        dbRoles:
            - string
        groups:
            - string
        services:
            - string
        users:
            - string
    policyId: string
    reads:
        - additionalChecks: string
          datas:
            - string
          datasetRewrites:
            - dataset: string
              parameters:
                - string
              repo: string
              substitution: string
          rateLimit: 0
          rows: 0
          severity: string
    updates:
        - additionalChecks: string
          datas:
            - string
          datasetRewrites:
            - dataset: string
              parameters:
                - string
              repo: string
              substitution: string
          rateLimit: 0
          rows: 0
          severity: string

PolicyRule Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The PolicyRule resource accepts the following input properties:

PolicyId string: The ID of the policy you are adding this rule to.
CyralPolicyRuleId string: The ID of this resource.
Deletes List<PolicyRuleDelete>: A contexted rule for accesses of the type delete.
Hosts List<string>: Hosts specification that limits access to only those users connecting from a certain network location.
Identities PolicyRuleIdentities: Identities specifies the people, applications, or groups this rule applies to. Every rule except your default rule has one. It can have 4 fields: db_roles, groups, users and services.
Reads List<PolicyRuleRead>: A contexted rule for accesses of the type read.
Updates List<PolicyRuleUpdate>: A contexted rule for accesses of the type update.

PolicyId string: The ID of the policy you are adding this rule to.
CyralPolicyRuleId string: The ID of this resource.
Deletes []PolicyRuleDeleteArgs: A contexted rule for accesses of the type delete.
Hosts []string: Hosts specification that limits access to only those users connecting from a certain network location.
Identities PolicyRuleIdentitiesArgs: Identities specifies the people, applications, or groups this rule applies to. Every rule except your default rule has one. It can have 4 fields: db_roles, groups, users and services.
Reads []PolicyRuleReadArgs: A contexted rule for accesses of the type read.
Updates []PolicyRuleUpdateArgs: A contexted rule for accesses of the type update.

policyId String: The ID of the policy you are adding this rule to.
cyralPolicyRuleId String: The ID of this resource.
deletes List<PolicyRuleDelete>: A contexted rule for accesses of the type delete.
hosts List<String>: Hosts specification that limits access to only those users connecting from a certain network location.
identities PolicyRuleIdentities: Identities specifies the people, applications, or groups this rule applies to. Every rule except your default rule has one. It can have 4 fields: db_roles, groups, users and services.
reads List<PolicyRuleRead>: A contexted rule for accesses of the type read.
updates List<PolicyRuleUpdate>: A contexted rule for accesses of the type update.

policyId string: The ID of the policy you are adding this rule to.
cyralPolicyRuleId string: The ID of this resource.
deletes PolicyRuleDelete[]: A contexted rule for accesses of the type delete.
hosts string[]: Hosts specification that limits access to only those users connecting from a certain network location.
identities PolicyRuleIdentities: Identities specifies the people, applications, or groups this rule applies to. Every rule except your default rule has one. It can have 4 fields: db_roles, groups, users and services.
reads PolicyRuleRead[]: A contexted rule for accesses of the type read.
updates PolicyRuleUpdate[]: A contexted rule for accesses of the type update.

policy_id str: The ID of the policy you are adding this rule to.
cyral_policy_rule_id str: The ID of this resource.
deletes Sequence[PolicyRuleDeleteArgs]: A contexted rule for accesses of the type delete.
hosts Sequence[str]: Hosts specification that limits access to only those users connecting from a certain network location.
identities PolicyRuleIdentitiesArgs: Identities specifies the people, applications, or groups this rule applies to. Every rule except your default rule has one. It can have 4 fields: db_roles, groups, users and services.
reads Sequence[PolicyRuleReadArgs]: A contexted rule for accesses of the type read.
updates Sequence[PolicyRuleUpdateArgs]: A contexted rule for accesses of the type update.

policyId String: The ID of the policy you are adding this rule to.
cyralPolicyRuleId String: The ID of this resource.
deletes List<Property Map>: A contexted rule for accesses of the type delete.
hosts List<String>: Hosts specification that limits access to only those users connecting from a certain network location.
identities Property Map: Identities specifies the people, applications, or groups this rule applies to. Every rule except your default rule has one. It can have 4 fields: db_roles, groups, users and services.
reads List<Property Map>: A contexted rule for accesses of the type read.
updates List<Property Map>: A contexted rule for accesses of the type update.

Outputs

All input properties are implicitly available as output properties. Additionally, the PolicyRule resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.
PolicyRuleId string: The ID of the policy rule.

Id string: The provider-assigned unique ID for this managed resource.
PolicyRuleId string: The ID of the policy rule.

id String: The provider-assigned unique ID for this managed resource.
policyRuleId String: The ID of the policy rule.

id string: The provider-assigned unique ID for this managed resource.
policyRuleId string: The ID of the policy rule.

id str: The provider-assigned unique ID for this managed resource.
policy_rule_id str: The ID of the policy rule.

id String: The provider-assigned unique ID for this managed resource.
policyRuleId String: The ID of the policy rule.

Look up Existing PolicyRule Resource

Get an existing PolicyRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

TypeScript
Python
Go
C#
Java
YAML

public static get(name: string, id: Input<ID>, state?: PolicyRuleState, opts?: CustomResourceOptions): PolicyRule

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        cyral_policy_rule_id: Optional[str] = None,
        deletes: Optional[Sequence[PolicyRuleDeleteArgs]] = None,
        hosts: Optional[Sequence[str]] = None,
        identities: Optional[PolicyRuleIdentitiesArgs] = None,
        policy_id: Optional[str] = None,
        policy_rule_id: Optional[str] = None,
        reads: Optional[Sequence[PolicyRuleReadArgs]] = None,
        updates: Optional[Sequence[PolicyRuleUpdateArgs]] = None) -> PolicyRule

func GetPolicyRule(ctx *Context, name string, id IDInput, state *PolicyRuleState, opts ...ResourceOption) (*PolicyRule, error)

public static PolicyRule Get(string name, Input<string> id, PolicyRuleState? state, CustomResourceOptions? opts = null)

public static PolicyRule get(String name, Output<String> id, PolicyRuleState state, CustomResourceOptions options)

resources:  _:    type: cyral:PolicyRule    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

CyralPolicyRuleId string: The ID of this resource.
Deletes List<PolicyRuleDelete>: A contexted rule for accesses of the type delete.
Hosts List<string>: Hosts specification that limits access to only those users connecting from a certain network location.
Identities PolicyRuleIdentities: Identities specifies the people, applications, or groups this rule applies to. Every rule except your default rule has one. It can have 4 fields: db_roles, groups, users and services.
PolicyId string: The ID of the policy you are adding this rule to.
PolicyRuleId string: The ID of the policy rule.
Reads List<PolicyRuleRead>: A contexted rule for accesses of the type read.
Updates List<PolicyRuleUpdate>: A contexted rule for accesses of the type update.

CyralPolicyRuleId string: The ID of this resource.
Deletes []PolicyRuleDeleteArgs: A contexted rule for accesses of the type delete.
Hosts []string: Hosts specification that limits access to only those users connecting from a certain network location.
Identities PolicyRuleIdentitiesArgs: Identities specifies the people, applications, or groups this rule applies to. Every rule except your default rule has one. It can have 4 fields: db_roles, groups, users and services.
PolicyId string: The ID of the policy you are adding this rule to.
PolicyRuleId string: The ID of the policy rule.
Reads []PolicyRuleReadArgs: A contexted rule for accesses of the type read.
Updates []PolicyRuleUpdateArgs: A contexted rule for accesses of the type update.

cyralPolicyRuleId String: The ID of this resource.
deletes List<PolicyRuleDelete>: A contexted rule for accesses of the type delete.
hosts List<String>: Hosts specification that limits access to only those users connecting from a certain network location.
identities PolicyRuleIdentities: Identities specifies the people, applications, or groups this rule applies to. Every rule except your default rule has one. It can have 4 fields: db_roles, groups, users and services.
policyId String: The ID of the policy you are adding this rule to.
policyRuleId String: The ID of the policy rule.
reads List<PolicyRuleRead>: A contexted rule for accesses of the type read.
updates List<PolicyRuleUpdate>: A contexted rule for accesses of the type update.

cyralPolicyRuleId string: The ID of this resource.
deletes PolicyRuleDelete[]: A contexted rule for accesses of the type delete.
hosts string[]: Hosts specification that limits access to only those users connecting from a certain network location.
identities PolicyRuleIdentities: Identities specifies the people, applications, or groups this rule applies to. Every rule except your default rule has one. It can have 4 fields: db_roles, groups, users and services.
policyId string: The ID of the policy you are adding this rule to.
policyRuleId string: The ID of the policy rule.
reads PolicyRuleRead[]: A contexted rule for accesses of the type read.
updates PolicyRuleUpdate[]: A contexted rule for accesses of the type update.

cyral_policy_rule_id str: The ID of this resource.
deletes Sequence[PolicyRuleDeleteArgs]: A contexted rule for accesses of the type delete.
hosts Sequence[str]: Hosts specification that limits access to only those users connecting from a certain network location.
identities PolicyRuleIdentitiesArgs: Identities specifies the people, applications, or groups this rule applies to. Every rule except your default rule has one. It can have 4 fields: db_roles, groups, users and services.
policy_id str: The ID of the policy you are adding this rule to.
policy_rule_id str: The ID of the policy rule.
reads Sequence[PolicyRuleReadArgs]: A contexted rule for accesses of the type read.
updates Sequence[PolicyRuleUpdateArgs]: A contexted rule for accesses of the type update.

cyralPolicyRuleId String: The ID of this resource.
deletes List<Property Map>: A contexted rule for accesses of the type delete.
hosts List<String>: Hosts specification that limits access to only those users connecting from a certain network location.
identities Property Map: Identities specifies the people, applications, or groups this rule applies to. Every rule except your default rule has one. It can have 4 fields: db_roles, groups, users and services.
policyId String: The ID of the policy you are adding this rule to.
policyRuleId String: The ID of the policy rule.
reads List<Property Map>: A contexted rule for accesses of the type read.
updates List<Property Map>: A contexted rule for accesses of the type update.

Supporting Types

PolicyRuleDelete
, PolicyRuleDeleteArgs

Datas List<string>: The data locations protected by this rule. Use * if you want to define any data location. For more information, see the policy rules documentation.
Rows double: The number of records (for example, rows or documents) that can be accessed/affected in a single statement. Use positive integer numbers to define how many records. If you want to define any number of records, set to -1.
AdditionalChecks string: Constraints on the data access specified in Rego. See Additional checks.
DatasetRewrites List<PolicyRuleDeleteDatasetRewrite>: Defines how requests should be rewritten in the case of policy violations. See Request rewriting.
RateLimit double: Rate Limit specifies the limit of calls that a user can make within a given time period.
Severity string: severity level that's recorded when someone violate this rule. This is an informational value. Settings: (low | medium | high). If not specified, the severity is considered to be low.

Datas []string: The data locations protected by this rule. Use * if you want to define any data location. For more information, see the policy rules documentation.
Rows float64: The number of records (for example, rows or documents) that can be accessed/affected in a single statement. Use positive integer numbers to define how many records. If you want to define any number of records, set to -1.
AdditionalChecks string: Constraints on the data access specified in Rego. See Additional checks.
DatasetRewrites []PolicyRuleDeleteDatasetRewrite: Defines how requests should be rewritten in the case of policy violations. See Request rewriting.
RateLimit float64: Rate Limit specifies the limit of calls that a user can make within a given time period.
Severity string: severity level that's recorded when someone violate this rule. This is an informational value. Settings: (low | medium | high). If not specified, the severity is considered to be low.

datas List<String>: The data locations protected by this rule. Use * if you want to define any data location. For more information, see the policy rules documentation.
rows Double: The number of records (for example, rows or documents) that can be accessed/affected in a single statement. Use positive integer numbers to define how many records. If you want to define any number of records, set to -1.
additionalChecks String: Constraints on the data access specified in Rego. See Additional checks.
datasetRewrites List<PolicyRuleDeleteDatasetRewrite>: Defines how requests should be rewritten in the case of policy violations. See Request rewriting.
rateLimit Double: Rate Limit specifies the limit of calls that a user can make within a given time period.
severity String: severity level that's recorded when someone violate this rule. This is an informational value. Settings: (low | medium | high). If not specified, the severity is considered to be low.

datas string[]: The data locations protected by this rule. Use * if you want to define any data location. For more information, see the policy rules documentation.
rows number: The number of records (for example, rows or documents) that can be accessed/affected in a single statement. Use positive integer numbers to define how many records. If you want to define any number of records, set to -1.
additionalChecks string: Constraints on the data access specified in Rego. See Additional checks.
datasetRewrites PolicyRuleDeleteDatasetRewrite[]: Defines how requests should be rewritten in the case of policy violations. See Request rewriting.
rateLimit number: Rate Limit specifies the limit of calls that a user can make within a given time period.
severity string: severity level that's recorded when someone violate this rule. This is an informational value. Settings: (low | medium | high). If not specified, the severity is considered to be low.

datas Sequence[str]: The data locations protected by this rule. Use * if you want to define any data location. For more information, see the policy rules documentation.
rows float: The number of records (for example, rows or documents) that can be accessed/affected in a single statement. Use positive integer numbers to define how many records. If you want to define any number of records, set to -1.
additional_checks str: Constraints on the data access specified in Rego. See Additional checks.
dataset_rewrites Sequence[PolicyRuleDeleteDatasetRewrite]: Defines how requests should be rewritten in the case of policy violations. See Request rewriting.
rate_limit float: Rate Limit specifies the limit of calls that a user can make within a given time period.
severity str: severity level that's recorded when someone violate this rule. This is an informational value. Settings: (low | medium | high). If not specified, the severity is considered to be low.

datas List<String>: The data locations protected by this rule. Use * if you want to define any data location. For more information, see the policy rules documentation.
rows Number: The number of records (for example, rows or documents) that can be accessed/affected in a single statement. Use positive integer numbers to define how many records. If you want to define any number of records, set to -1.
additionalChecks String: Constraints on the data access specified in Rego. See Additional checks.
datasetRewrites List<Property Map>: Defines how requests should be rewritten in the case of policy violations. See Request rewriting.
rateLimit Number: Rate Limit specifies the limit of calls that a user can make within a given time period.
severity String: severity level that's recorded when someone violate this rule. This is an informational value. Settings: (low | medium | high). If not specified, the severity is considered to be low.

PolicyRuleDeleteDatasetRewrite
, PolicyRuleDeleteDatasetRewriteArgs

Dataset string: The dataset that should be rewritten.In the case of Snowflake, this denotes a fully qualified table name in the form: <database>.<schema>.<table>
Parameters List<string>: The set of parameters used in the substitution request, these are references to fields in the activity log as described in the Additional Checks section.
Repo string: The name of the repository that the rewrite applies to.
Substitution string: The request used to substitute references to the dataset.

Dataset string: The dataset that should be rewritten.In the case of Snowflake, this denotes a fully qualified table name in the form: <database>.<schema>.<table>
Parameters []string: The set of parameters used in the substitution request, these are references to fields in the activity log as described in the Additional Checks section.
Repo string: The name of the repository that the rewrite applies to.
Substitution string: The request used to substitute references to the dataset.

dataset String: The dataset that should be rewritten.In the case of Snowflake, this denotes a fully qualified table name in the form: <database>.<schema>.<table>
parameters List<String>: The set of parameters used in the substitution request, these are references to fields in the activity log as described in the Additional Checks section.
repo String: The name of the repository that the rewrite applies to.
substitution String: The request used to substitute references to the dataset.

dataset string: The dataset that should be rewritten.In the case of Snowflake, this denotes a fully qualified table name in the form: <database>.<schema>.<table>
parameters string[]: The set of parameters used in the substitution request, these are references to fields in the activity log as described in the Additional Checks section.
repo string: The name of the repository that the rewrite applies to.
substitution string: The request used to substitute references to the dataset.

dataset str: The dataset that should be rewritten.In the case of Snowflake, this denotes a fully qualified table name in the form: <database>.<schema>.<table>
parameters Sequence[str]: The set of parameters used in the substitution request, these are references to fields in the activity log as described in the Additional Checks section.
repo str: The name of the repository that the rewrite applies to.
substitution str: The request used to substitute references to the dataset.

dataset String: The dataset that should be rewritten.In the case of Snowflake, this denotes a fully qualified table name in the form: <database>.<schema>.<table>
parameters List<String>: The set of parameters used in the substitution request, these are references to fields in the activity log as described in the Additional Checks section.
repo String: The name of the repository that the rewrite applies to.
substitution String: The request used to substitute references to the dataset.

PolicyRuleIdentities
, PolicyRuleIdentitiesArgs

DbRoles List<string>: Database roles that this rule will apply to.
Groups List<string>: Groups that this rule will apply to.
Services List<string>: Services that this rule will apply to.
Users List<string>: Users that this rule will apply to.

DbRoles []string: Database roles that this rule will apply to.
Groups []string: Groups that this rule will apply to.
Services []string: Services that this rule will apply to.
Users []string: Users that this rule will apply to.

dbRoles List<String>: Database roles that this rule will apply to.
groups List<String>: Groups that this rule will apply to.
services List<String>: Services that this rule will apply to.
users List<String>: Users that this rule will apply to.

dbRoles string[]: Database roles that this rule will apply to.
groups string[]: Groups that this rule will apply to.
services string[]: Services that this rule will apply to.
users string[]: Users that this rule will apply to.

db_roles Sequence[str]: Database roles that this rule will apply to.
groups Sequence[str]: Groups that this rule will apply to.
services Sequence[str]: Services that this rule will apply to.
users Sequence[str]: Users that this rule will apply to.

dbRoles List<String>: Database roles that this rule will apply to.
groups List<String>: Groups that this rule will apply to.
services List<String>: Services that this rule will apply to.
users List<String>: Users that this rule will apply to.

PolicyRuleRead
, PolicyRuleReadArgs

Datas List<string>: The data locations protected by this rule. Use * if you want to define any data location. For more information, see the policy rules documentation.
Rows double: The number of records (for example, rows or documents) that can be accessed/affected in a single statement. Use positive integer numbers to define how many records. If you want to define any number of records, set to -1.
AdditionalChecks string: Constraints on the data access specified in Rego. See Additional checks.
DatasetRewrites List<PolicyRuleReadDatasetRewrite>: Defines how requests should be rewritten in the case of policy violations. See Request rewriting.
RateLimit double: Rate Limit specifies the limit of calls that a user can make within a given time period.
Severity string: severity level that's recorded when someone violate this rule. This is an informational value. Settings: (low | medium | high). If not specified, the severity is considered to be low.

Datas []string: The data locations protected by this rule. Use * if you want to define any data location. For more information, see the policy rules documentation.
Rows float64: The number of records (for example, rows or documents) that can be accessed/affected in a single statement. Use positive integer numbers to define how many records. If you want to define any number of records, set to -1.
AdditionalChecks string: Constraints on the data access specified in Rego. See Additional checks.
DatasetRewrites []PolicyRuleReadDatasetRewrite: Defines how requests should be rewritten in the case of policy violations. See Request rewriting.
RateLimit float64: Rate Limit specifies the limit of calls that a user can make within a given time period.
Severity string: severity level that's recorded when someone violate this rule. This is an informational value. Settings: (low | medium | high). If not specified, the severity is considered to be low.

datas List<String>: The data locations protected by this rule. Use * if you want to define any data location. For more information, see the policy rules documentation.
rows Double: The number of records (for example, rows or documents) that can be accessed/affected in a single statement. Use positive integer numbers to define how many records. If you want to define any number of records, set to -1.
additionalChecks String: Constraints on the data access specified in Rego. See Additional checks.
datasetRewrites List<PolicyRuleReadDatasetRewrite>: Defines how requests should be rewritten in the case of policy violations. See Request rewriting.
rateLimit Double: Rate Limit specifies the limit of calls that a user can make within a given time period.
severity String: severity level that's recorded when someone violate this rule. This is an informational value. Settings: (low | medium | high). If not specified, the severity is considered to be low.

datas string[]: The data locations protected by this rule. Use * if you want to define any data location. For more information, see the policy rules documentation.
rows number: The number of records (for example, rows or documents) that can be accessed/affected in a single statement. Use positive integer numbers to define how many records. If you want to define any number of records, set to -1.
additionalChecks string: Constraints on the data access specified in Rego. See Additional checks.
datasetRewrites PolicyRuleReadDatasetRewrite[]: Defines how requests should be rewritten in the case of policy violations. See Request rewriting.
rateLimit number: Rate Limit specifies the limit of calls that a user can make within a given time period.
severity string: severity level that's recorded when someone violate this rule. This is an informational value. Settings: (low | medium | high). If not specified, the severity is considered to be low.

datas Sequence[str]: The data locations protected by this rule. Use * if you want to define any data location. For more information, see the policy rules documentation.
rows float: The number of records (for example, rows or documents) that can be accessed/affected in a single statement. Use positive integer numbers to define how many records. If you want to define any number of records, set to -1.
additional_checks str: Constraints on the data access specified in Rego. See Additional checks.
dataset_rewrites Sequence[PolicyRuleReadDatasetRewrite]: Defines how requests should be rewritten in the case of policy violations. See Request rewriting.
rate_limit float: Rate Limit specifies the limit of calls that a user can make within a given time period.
severity str: severity level that's recorded when someone violate this rule. This is an informational value. Settings: (low | medium | high). If not specified, the severity is considered to be low.

datas List<String>: The data locations protected by this rule. Use * if you want to define any data location. For more information, see the policy rules documentation.
rows Number: The number of records (for example, rows or documents) that can be accessed/affected in a single statement. Use positive integer numbers to define how many records. If you want to define any number of records, set to -1.
additionalChecks String: Constraints on the data access specified in Rego. See Additional checks.
datasetRewrites List<Property Map>: Defines how requests should be rewritten in the case of policy violations. See Request rewriting.
rateLimit Number: Rate Limit specifies the limit of calls that a user can make within a given time period.
severity String: severity level that's recorded when someone violate this rule. This is an informational value. Settings: (low | medium | high). If not specified, the severity is considered to be low.

PolicyRuleReadDatasetRewrite
, PolicyRuleReadDatasetRewriteArgs

Dataset string: The dataset that should be rewritten.In the case of Snowflake, this denotes a fully qualified table name in the form: <database>.<schema>.<table>
Parameters List<string>: The set of parameters used in the substitution request, these are references to fields in the activity log as described in the Additional Checks section.
Repo string: The name of the repository that the rewrite applies to.
Substitution string: The request used to substitute references to the dataset.

Dataset string: The dataset that should be rewritten.In the case of Snowflake, this denotes a fully qualified table name in the form: <database>.<schema>.<table>
Parameters []string: The set of parameters used in the substitution request, these are references to fields in the activity log as described in the Additional Checks section.
Repo string: The name of the repository that the rewrite applies to.
Substitution string: The request used to substitute references to the dataset.

dataset String: The dataset that should be rewritten.In the case of Snowflake, this denotes a fully qualified table name in the form: <database>.<schema>.<table>
parameters List<String>: The set of parameters used in the substitution request, these are references to fields in the activity log as described in the Additional Checks section.
repo String: The name of the repository that the rewrite applies to.
substitution String: The request used to substitute references to the dataset.

dataset string: The dataset that should be rewritten.In the case of Snowflake, this denotes a fully qualified table name in the form: <database>.<schema>.<table>
parameters string[]: The set of parameters used in the substitution request, these are references to fields in the activity log as described in the Additional Checks section.
repo string: The name of the repository that the rewrite applies to.
substitution string: The request used to substitute references to the dataset.

dataset str: The dataset that should be rewritten.In the case of Snowflake, this denotes a fully qualified table name in the form: <database>.<schema>.<table>
parameters Sequence[str]: The set of parameters used in the substitution request, these are references to fields in the activity log as described in the Additional Checks section.
repo str: The name of the repository that the rewrite applies to.
substitution str: The request used to substitute references to the dataset.

dataset String: The dataset that should be rewritten.In the case of Snowflake, this denotes a fully qualified table name in the form: <database>.<schema>.<table>
parameters List<String>: The set of parameters used in the substitution request, these are references to fields in the activity log as described in the Additional Checks section.
repo String: The name of the repository that the rewrite applies to.
substitution String: The request used to substitute references to the dataset.

PolicyRuleUpdate
, PolicyRuleUpdateArgs

Datas List<string>: The data locations protected by this rule. Use * if you want to define any data location. For more information, see the policy rules documentation.
Rows double: The number of records (for example, rows or documents) that can be accessed/affected in a single statement. Use positive integer numbers to define how many records. If you want to define any number of records, set to -1.
AdditionalChecks string: Constraints on the data access specified in Rego. See Additional checks.
DatasetRewrites List<PolicyRuleUpdateDatasetRewrite>: Defines how requests should be rewritten in the case of policy violations. See Request rewriting.
RateLimit double: Rate Limit specifies the limit of calls that a user can make within a given time period.
Severity string: severity level that's recorded when someone violate this rule. This is an informational value. Settings: (low | medium | high). If not specified, the severity is considered to be low.

Datas []string: The data locations protected by this rule. Use * if you want to define any data location. For more information, see the policy rules documentation.
Rows float64: The number of records (for example, rows or documents) that can be accessed/affected in a single statement. Use positive integer numbers to define how many records. If you want to define any number of records, set to -1.
AdditionalChecks string: Constraints on the data access specified in Rego. See Additional checks.
DatasetRewrites []PolicyRuleUpdateDatasetRewrite: Defines how requests should be rewritten in the case of policy violations. See Request rewriting.
RateLimit float64: Rate Limit specifies the limit of calls that a user can make within a given time period.
Severity string: severity level that's recorded when someone violate this rule. This is an informational value. Settings: (low | medium | high). If not specified, the severity is considered to be low.

datas List<String>: The data locations protected by this rule. Use * if you want to define any data location. For more information, see the policy rules documentation.
rows Double: The number of records (for example, rows or documents) that can be accessed/affected in a single statement. Use positive integer numbers to define how many records. If you want to define any number of records, set to -1.
additionalChecks String: Constraints on the data access specified in Rego. See Additional checks.
datasetRewrites List<PolicyRuleUpdateDatasetRewrite>: Defines how requests should be rewritten in the case of policy violations. See Request rewriting.
rateLimit Double: Rate Limit specifies the limit of calls that a user can make within a given time period.
severity String: severity level that's recorded when someone violate this rule. This is an informational value. Settings: (low | medium | high). If not specified, the severity is considered to be low.

datas string[]: The data locations protected by this rule. Use * if you want to define any data location. For more information, see the policy rules documentation.
rows number: The number of records (for example, rows or documents) that can be accessed/affected in a single statement. Use positive integer numbers to define how many records. If you want to define any number of records, set to -1.
additionalChecks string: Constraints on the data access specified in Rego. See Additional checks.
datasetRewrites PolicyRuleUpdateDatasetRewrite[]: Defines how requests should be rewritten in the case of policy violations. See Request rewriting.
rateLimit number: Rate Limit specifies the limit of calls that a user can make within a given time period.
severity string: severity level that's recorded when someone violate this rule. This is an informational value. Settings: (low | medium | high). If not specified, the severity is considered to be low.

datas Sequence[str]: The data locations protected by this rule. Use * if you want to define any data location. For more information, see the policy rules documentation.
rows float: The number of records (for example, rows or documents) that can be accessed/affected in a single statement. Use positive integer numbers to define how many records. If you want to define any number of records, set to -1.
additional_checks str: Constraints on the data access specified in Rego. See Additional checks.
dataset_rewrites Sequence[PolicyRuleUpdateDatasetRewrite]: Defines how requests should be rewritten in the case of policy violations. See Request rewriting.
rate_limit float: Rate Limit specifies the limit of calls that a user can make within a given time period.
severity str: severity level that's recorded when someone violate this rule. This is an informational value. Settings: (low | medium | high). If not specified, the severity is considered to be low.

datas List<String>: The data locations protected by this rule. Use * if you want to define any data location. For more information, see the policy rules documentation.
rows Number: The number of records (for example, rows or documents) that can be accessed/affected in a single statement. Use positive integer numbers to define how many records. If you want to define any number of records, set to -1.
additionalChecks String: Constraints on the data access specified in Rego. See Additional checks.
datasetRewrites List<Property Map>: Defines how requests should be rewritten in the case of policy violations. See Request rewriting.
rateLimit Number: Rate Limit specifies the limit of calls that a user can make within a given time period.
severity String: severity level that's recorded when someone violate this rule. This is an informational value. Settings: (low | medium | high). If not specified, the severity is considered to be low.

PolicyRuleUpdateDatasetRewrite
, PolicyRuleUpdateDatasetRewriteArgs

Dataset string: The dataset that should be rewritten.In the case of Snowflake, this denotes a fully qualified table name in the form: <database>.<schema>.<table>
Parameters List<string>: The set of parameters used in the substitution request, these are references to fields in the activity log as described in the Additional Checks section.
Repo string: The name of the repository that the rewrite applies to.
Substitution string: The request used to substitute references to the dataset.

Dataset string: The dataset that should be rewritten.In the case of Snowflake, this denotes a fully qualified table name in the form: <database>.<schema>.<table>
Parameters []string: The set of parameters used in the substitution request, these are references to fields in the activity log as described in the Additional Checks section.
Repo string: The name of the repository that the rewrite applies to.
Substitution string: The request used to substitute references to the dataset.

dataset String: The dataset that should be rewritten.In the case of Snowflake, this denotes a fully qualified table name in the form: <database>.<schema>.<table>
parameters List<String>: The set of parameters used in the substitution request, these are references to fields in the activity log as described in the Additional Checks section.
repo String: The name of the repository that the rewrite applies to.
substitution String: The request used to substitute references to the dataset.

dataset string: The dataset that should be rewritten.In the case of Snowflake, this denotes a fully qualified table name in the form: <database>.<schema>.<table>
parameters string[]: The set of parameters used in the substitution request, these are references to fields in the activity log as described in the Additional Checks section.
repo string: The name of the repository that the rewrite applies to.
substitution string: The request used to substitute references to the dataset.

dataset str: The dataset that should be rewritten.In the case of Snowflake, this denotes a fully qualified table name in the form: <database>.<schema>.<table>
parameters Sequence[str]: The set of parameters used in the substitution request, these are references to fields in the activity log as described in the Additional Checks section.
repo str: The name of the repository that the rewrite applies to.
substitution str: The request used to substitute references to the dataset.

dataset String: The dataset that should be rewritten.In the case of Snowflake, this denotes a fully qualified table name in the form: <database>.<schema>.<table>
parameters List<String>: The set of parameters used in the substitution request, these are references to fields in the activity log as described in the Additional Checks section.
repo String: The name of the repository that the rewrite applies to.
substitution String: The request used to substitute references to the dataset.

Package Details

Repository: cyral cyralinc/terraform-provider-cyral
License
Notes: This Pulumi package is based on the cyral Terraform Provider.

cyral 4.16.3 published on Monday, Apr 14, 2025 by cyralinc

cyralinc/terraform-provider-cyral

cyral.PolicyRule

On this page

On this page

# cyral.PolicyRule (Resource)

Create PolicyRule Resource

Constructor syntax

Parameters

Constructor example

PolicyRule Resource Properties

Inputs

Outputs

Look up Existing PolicyRule Resource

Supporting Types

PolicyRuleDelete
, PolicyRuleDeleteArgs

PolicyRuleDeleteDatasetRewrite
, PolicyRuleDeleteDatasetRewriteArgs

PolicyRuleIdentities
, PolicyRuleIdentitiesArgs

PolicyRuleRead
, PolicyRuleReadArgs

PolicyRuleReadDatasetRewrite
, PolicyRuleReadDatasetRewriteArgs

PolicyRuleUpdate
, PolicyRuleUpdateArgs

PolicyRuleUpdateDatasetRewrite
, PolicyRuleUpdateDatasetRewriteArgs

Package Details

On this page

On this page

cyral.PolicyRule

On this page

On this page

# cyral.PolicyRule (Resource)

Create PolicyRule Resource

Constructor syntax

Parameters

Constructor example

PolicyRule Resource Properties

Inputs

Outputs

Look up Existing PolicyRule Resource

Supporting Types

PolicyRuleDelete, PolicyRuleDeleteArgs

PolicyRuleDeleteDatasetRewrite, PolicyRuleDeleteDatasetRewriteArgs

PolicyRuleIdentities, PolicyRuleIdentitiesArgs

PolicyRuleRead, PolicyRuleReadArgs

PolicyRuleReadDatasetRewrite, PolicyRuleReadDatasetRewriteArgs

PolicyRuleUpdate, PolicyRuleUpdateArgs

PolicyRuleUpdateDatasetRewrite, PolicyRuleUpdateDatasetRewriteArgs

Package Details

On this page

On this page

PolicyRuleDelete
, PolicyRuleDeleteArgs

PolicyRuleDeleteDatasetRewrite
, PolicyRuleDeleteDatasetRewriteArgs

PolicyRuleIdentities
, PolicyRuleIdentitiesArgs

PolicyRuleRead
, PolicyRuleReadArgs

PolicyRuleReadDatasetRewrite
, PolicyRuleReadDatasetRewriteArgs

PolicyRuleUpdate
, PolicyRuleUpdateArgs

PolicyRuleUpdateDatasetRewrite
, PolicyRuleUpdateDatasetRewriteArgs